IT Policies That Protect You—and Pay You

This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.


How Business Accountants in Practice can turn risk into revenue

Let’s be honest, most small firms and their clients have terrible IT hygiene.
No clear password rules. No formal remote work policy. Staff using personal devices to access client files. Backups that haven’t worked since 2021. And yet we expect to keep SARS happy, stay POPIA-compliant, and retain client trust?

It’s a ticking time bomb—and also a business opportunity.

As a Business Accountant in Practice, you already handle sensitive financial data. You’re the one your clients turn to for compliance, risk, and advice. So here’s the big question:
Why aren’t you helping them protect that data with proper IT policies—and charging for it?

The Real Risk: No Policy = No Protection

Let’s break it down. Every business today, including yours, relies on technology. But most don’t have formal rules for how it’s used. That leaves them exposed. Not just to data breaches, but also to fines, downtime, and damaged client relationships.

Here’s what’s typically missing:

  • No Acceptable Use Policy: Employees browse unsafe sites, download risky software, or plug in random USBs.

  • No BYOD Policy: Staff use personal devices for work with no security controls.

  • No Access Controls: Former employees still have login credentials.

  • No Backups: One ransomware attack and everything’s gone.

Sound familiar? If you’re not protected, you can’t expect your clients to be. And the kicker? When things go wrong, guess who they call first. You.

Why This Matters for Accountants in Practice

Your practice is a data hub. You receive, store, and process highly confidential information every day. That puts you under POPIA, under the microscope of regulators—and under pressure from clients who expect professional-level protection.

If you don’t have basic IT policies in place, you're not just risking your own business. You're also missing out on a way to serve your clients better and get paid for it.

The Shift: From Accountant to Trusted Risk Advisor

Here’s the good news. You don’t need to be an IT expert to help clients build safer systems. You just need the right framework—and the ability to speak their language.

The goal isn’t to sell firewalls or software. It’s to:

  • Identify where they’re exposed (most are)

  • Put basic policies in place to reduce risk

  • Show them how that keeps them compliant

  • Offer this as part of your advisory service

And yes—you can charge for it.

The 16 IT Policies Every Small Business Needs

If you’re going to protect your own practice (and help your clients), you need to understand the essentials. Here are the 16 policies every business should have:

  1. Acceptable Use Policy (AUP) – Rules for using company email, internet, and systems.

  2. Access Control Policy – Who can access which systems, and how it’s approved.

  3. Password Policy – Strength, expiry, storage, and MFA (multi-factor authentication).

  4. Remote Work Policy – Clear expectations and security protocols for working from home.

  5. Bring Your Own Device (BYOD) Policy – Safe use of personal devices for work purposes.

  6. Data Backup and Recovery Policy – Frequency, storage, and recovery plans.

  7. Incident Response Policy – What to do when things go wrong (breach, hack, etc.).

  8. Disaster Recovery & Continuity – How to keep running after a major disruption.

  9. Email and Communication Policy – Prevent risky communication practices.

  10. Software Installation Policy – Avoid malware and licensing issues.

  11. Data Classification Policy – Identify and protect confidential vs public data.

  12. Network Security Policy – Wi-Fi, firewall, VPN, and access safeguards.

  13. Mobile Device Management – Track and secure phones/tablets.

  14. Cloud Usage Policy – Secure cloud storage and collaboration.

  15. IT Asset Management Policy – Track all devices, licenses, and software.

  16. Third-Party Access Policy – Vendor access rules, contracts, and monitoring.

That’s your checklist. If you don’t have these in your firm, you’re at risk. If your clients don’t have them, that’s a business conversation waiting to happen.

Real Examples: What This Looks Like in Practice

Case 1:
An admin assistant downloads a client file to their personal laptop. That laptop gets stolen from a car. There was no encryption, no backup, no remote wipe capability. The client’s data is now in the wild.
Result: POPIA breach, angry client, and lost trust.

Case 2:
A small business has remote staff logging in through unsecured Wi-Fi with shared passwords. The accountant sees the risk and offers an “IT Policy Setup Pack”: BYOD, access control, and backup strategy.
Result: The client pays R3,000 for the service and adds it to their retainer.

How to Package and Price It

You don’t need to overcomplicate it. Start small. Offer a basic “IT Risk Review” to existing clients. Ask five questions:

  1. Do you use personal devices for client work?

  2. How often do you back up your data?

  3. Who has access to your systems?

  4. What happens if a device is lost or stolen?

  5. Do you have written IT policies?

Then offer:

  • A once-off IT Policy Setup Service (R2,500–R5,000 depending on size)

  • A bundled Compliance & IT Policy Review with financial statements

  • A retainer add-on: 1 policy review or update per year

Use the same templates you created for your own practice. That’s the beauty of it—it’s scalable and repeatable.

How to Sell It to Clients

Don’t lead with tech. Lead with risk and compliance. Say:

“If you were hit with a data breach, would you know what to do?
If SARS or the Information Regulator asked about your IT policies, do you have anything in writing?”

Use a checklist, a quick quiz, or a policy review as a conversation starter. Once they see the gaps, most clients will ask for help.

Final Word: Protect. Advise. Earn.

As a Business Accountant in Practice, your job isn’t just to reconcile figures and file returns. You’re a key advisor in your clients’ risk landscape. IT policy is part of that.

By offering IT policy guidance:

  • You protect your practice

  • You unlock new revenue streams

  • You help clients stay compliant, secure, and confident

And the best part? You already have their trust.

So why not turn that trust into a practical service that protects their future—and builds yours?


 
